System and method for an endpoint hardware assisted network firewall in a security environment

US 10,103,892 B2
Filed: 01/06/2017
Issued: 10/16/2018
Est. Priority Date: 01/23/2013
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium that includes code for execution and when executed by at least one processor is operable to perform operations to:

receive a traffic flow at a tamper resistant environment on a host from an application executing on the host, wherein the tamper resistant environment is separated from an operating system of the host by (a) running on a chipset that does not include a processor running the operating system of the host, or (b) running on a dedicated virtual machine within a virtualization environment on the host;

monitor, by a virtualization environment on the host, a memory of the host;

identify a memory condition;

request control of the memory;

obtain information associated with the application by accessing the memory;

send the information associated with the application from the virtualization environment to the tamper resistant environment;

receive information associated with the application at the tamper resistant environment from the virtualization environment on the host;

create a modified traffic flow by adding the information associated with the application to the received traffic flow and by adding a device identifier of the host to the received traffic flow; and

send the modified traffic flow to a server.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes receiving a traffic flow at a tamper resistant environment from an application, where the tamper resistant environment is separated from a host operating system. The method also includes applying a security token to the traffic flow and sending the traffic flow to a server. In specific embodiments, a security module may add information about the application to traffic flow. A trapping module may monitor for a memory condition and identify the memory condition. The trapping module may also, responsive to identifying the memory condition, initiate a virtual environment for the application, and check the integrity of the traffic flow.

23 Citations

13 Claims

1. At least one non-transitory computer-readable medium that includes code for execution and when executed by at least one processor is operable to perform operations to:
- receive a traffic flow at a tamper resistant environment on a host from an application executing on the host, wherein the tamper resistant environment is separated from an operating system of the host by (a) running on a chipset that does not include a processor running the operating system of the host, or (b) running on a dedicated virtual machine within a virtualization environment on the host;
  
  monitor, by a virtualization environment on the host, a memory of the host;
  
  identify a memory condition;
  
  request control of the memory;
  
  obtain information associated with the application by accessing the memory;
  
  send the information associated with the application from the virtualization environment to the tamper resistant environment;
  
  receive information associated with the application at the tamper resistant environment from the virtualization environment on the host;
  
  create a modified traffic flow by adding the information associated with the application to the received traffic flow and by adding a device identifier of the host to the received traffic flow; and
  
  send the modified traffic flow to a server.
- View Dependent Claims (2, 3)
- - 2. The at least one non-transitory computer-readable medium of claim 1, wherein the memory condition is identified based on a certain memory location in the memory of the host being accessed.
  - 3. The at least one non-transitory computer-readable medium of claim 1, wherein the virtualization environment includes a second tamper resistant environment separated from the other tamper resistant environment.

4. At least one non-transitory computer-readable medium that includes code for execution and when executed by at least one processor, is operable to perform operations to:
- receive a traffic flow at a tamper resistant environment on a host from an application executing on the host, wherein the tamper resistant environment is separated from an operating system of the host by (a) running on a chipset that does not include a processor running the operating system of the host, or (b) running on a dedicated virtual machine within a virtualization environment on the host;
  
  derive a security token by the tamper resistant environment, wherein the security token is derived from an enhanced privacy identification to attest that the tamper resistant environment is trusted;
  
  create a modified traffic flow by adding information associated with the application to the received traffic flow, adding a device identifier of the host, and applying the security token to the traffic flow; and
  
  send the modified traffic flow to a server.

5. At least one non-transitory computer-readable medium that includes code for execution and when executed by at least one processor is operable to perform operations to:
- receive a traffic flow at a tamper resistant environment on a host from an application executing on the host, wherein the tamper resistant environment is separated from an operating system of the host by (a) running on a chipset that does not include a processor running the operating system of the host, or (b) running on a dedicated virtual machine within a virtualization environment on the host;
  
  derive a security token by the tamper resistant environment;
  
  create a modified traffic by;
  
  adding information, including metadata, associated with the application to the received traffic flow;
  
  adding a device identifier of the host;
  
  applying the security token to the received traffic flow; and
  
  digitally signing the metadata using public key cryptography; and
  
  send the modified traffic flow to a server.

6. At least one non-transitory computer-readable medium that includes code for execution and when executed by at least one processor is operable to perform operations to:
- receive a traffic flow at a tamper resistant environment on a host from an application executing on the host, wherein the tamper resistant environment is separated from an operating system of the host by (a) running on a chipset that does not include a processor running the operating system of the host, or (b) running on a dedicated virtual machine within a virtualization environment on the host;
  
  create a modified traffic flow by adding information associated with the application to the received traffic flow and by adding a device identifier of the host to the received traffic flow;
  
  send the modified traffic flow to a server;
  
  monitor a memory of the host for a memory condition;
  
  identify the memory condition;
  
  assign the application to a virtual machine in the virtualization environment based, at least in part, on identifying the memory condition;
  
  trap, in the virtualization environment, process events associated with the traffic flow; and
  
  check the integrity of the traffic flow before the traffic flow is delivered to the tamper resistant environment.
- View Dependent Claims (7, 8, 9)
- - 7. The at least one non-transitory computer-readable medium of claim 6, wherein the code for monitoring for the memory condition, when executed by the at least one processor, is operable to perform further operations to:
    - monitor regions of the memory associated with buffers used to send data for the memory condition.
  - 8. The at least one non-transitory computer-readable medium of claim 6, wherein the code, when executed by the at least one processor, is operable to perform further operations to:
    - initiate the virtualization environment for the application by assigning the application to the virtual machine randomly based, at least in part, on identifying the memory condition.
  - 9. The at least one non-transitory computer-readable medium of claim 6, wherein the code, when executed by the processor, is operable to perform further operations to:
    - fire a virtualization trap based on a condition being asserted according to a configured probabilistic configuration.

10. An apparatus comprising:
- at least one processor;
  
  a security engine including a tamper resistant environment coupled to the at least one processor to;
  
  receive a traffic flow from an application executing on the apparatus, wherein the tamper resistant environment is separated from an operating system of the apparatus by (a) running on a chipset that does not include a processor running the operating system of the host, or (b) running on a dedicated virtual machine within a virtualization environment on the host;
  
  create a modified traffic flow by adding information associated with the application to the received traffic flow and by adding a device identifier of the apparatus to the received traffic flow; and
  
  send the modified traffic flow to a server; and
  
  a virtualization environment coupled to the processor to;
  
  monitor a memory of the host;
  
  identify a memory condition;
  
  request control of the memory based on identifying the memory condition;
  
  obtain the information associated with the application by accessing the memory; and
  
  send the information to the tamper resistant environment.

11. An apparatus, comprising:
- at least one processor; and
  
  a security engine including a tamper resistant environment coupled to the at least one processor to;
  
  receive a traffic flow from an application executing on the apparatus, wherein the tamper resistant environment is separated from an operating system of the apparatus by (a) running on a chipset that does not include a processor running the operating system of the host, or (b) running on a dedicated virtual machine within a virtualization environment on the host;
  
  derive a security token;
  
  create a modified traffic flow by;
  
  adding information, including metadata, associated with the application to the received traffic flow;
  
  adding a device identifier of the apparatus to the received traffic flow;
  
  applying the security token to the traffic flow; and
  
  digitally singing the metadata using public key cryptography; and
  
  send the modified traffic flow to a server.

12. An apparatus, comprising:
- at least one processor; and
  
  a security engine including a tamper resistant environment coupled to the at least one processor to;
  
  receive a traffic flow from an application executing on the apparatus, wherein the tamper resistant environment is separated from an operating system of the apparatus by (a) running on a chipset that does not include a processor running the operating system of the host, or (b) running on a dedicated virtual machine within a virtualization environment on the host;
  
  create a modified traffic flow by adding information associated with the application to the received traffic flow and by adding a device identifier of the apparatus to the received traffic flow; and
  
  send the modified traffic flow to a server; and
  
  a trapping module configured to;
  
  monitor a memory of the host for a memory condition;
  
  identify the memory condition;
  
  assign the application to a virtual machine in the virtualization environment based, at least in part, on identifying the memory condition;
  
  trap, in the virtual environment, process events associated with the traffic flow; and
  
  check the integrity of the traffic flow before the traffic flow is delivered to the tamper resistant environment.

13. A method comprising:
- receiving a traffic flow at a tamper resistant environment on a host from an application executing on the host, wherein the tamper resistant environment is separated from an operating system of the host by (a) running on a chipset that does not include a processor running the operating system of the host, or (b) running on a dedicated virtual machine within a virtualization environment on the host;
  
  monitoring, by a virtualization environment on the host, a memory of the host;
  
  identifying a memory condition;
  
  requesting control of the memory;
  
  obtaining information associated with the application by accessing the memory;
  
  sending the information from the virtualization environment to the tamper resistant environment;
  
  receiving information associated with the application at the tamper resistant environment from the virtualization environment on the host;
  
  creating a modified traffic flow by adding the information associated with the application to the received traffic flow and by adding a device identifier of the host to the received traffic flow; and
  
  sending the modified traffic flow from the tamper resistant environment to a server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, LLC
Inventors
Grobman, Steve, Samani, Raj, Arkin, Ofir, Schrecker, Sven
Primary Examiner(s)
Williams, Jeffery

Application Number

US15/400,311
Publication Number

US 20170126413A1
Time in Patent Office

648 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/45558   Hypervisor-specific managem...

H04L 45/74   Address processing for routing

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04L 63/1483   service impersonation, e.g....

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3247   involving digital signatures

System and method for an endpoint hardware assisted network firewall in a security environment

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for an endpoint hardware assisted network firewall in a security environment

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links